7 Reasons Your ISMS Is Not Audit-Ready (And How to Fix Each One)

Christopher Eller
Founder of Valiido and TÜV® SÜD certified ISO® 27001 Auditor

The global average cost of a data breach reached USD 4.44 million in the IBM Cost of a Data Breach Report 2025. That number is exactly why companies build an information security management system (ISMS) and why customers increasingly demand an ISO® 27001 certificate or a TISAX® label before they sign. But building an ISMS and being audit-ready are not the same thing.

An ISMS can look complete on the surface - folders full of policies, a risk register, a stack of controls - and still fail to convince an auditor. Most first-time audits surface nonconformities, usually documentation or process gaps, that must be closed before the certificate is issued. The good news: the same handful of problems shows up again and again, and every one of them is fixable.

Here are the seven reasons an ISMS is most often not audit-ready, and how to fix each one.

1. Your risk assessment is outdated

Risk assessment is the engine of an ISMS. Every control you select should trace back to a risk you decided to treat. The problem is that most risk assessments are done once, at the start of the project, and then quietly age. Twelve months later the company has new systems, new suppliers, new people and new threats - and the risk register still describes last year's company. An auditor will notice immediately, because the dates, the assets and the named owners no longer match reality.

The fix: treat risk assessment as a living process, not a one-off document. Review it on a fixed schedule and whenever something material changes - a new tool, a new vendor, an incident. Each risk needs a current owner, a treatment decision and a review date. Keep the assessment and the resulting control selection in one place so the link between them stays visible.

2. Policies exist but are not approved or lived

Almost everyone has policies. The trouble is that they were downloaded, lightly edited, never formally approved by management, and never read by the people they govern. An access-control policy that says one thing while the team does another is worse than no policy at all - it is documented evidence of a gap. Auditors test this constantly: they read the policy, then ask an employee what actually happens.

The fix: every policy needs a clear owner, a version, an approval by top management and a real review date. More importantly, it has to describe what the organization actually does. Where reality and policy disagree, fix one of them. Make sure staff know the policies exist and can find them. Starting from proven templates helps you avoid both extremes - empty boilerplate and unmaintained sprawl. Valiido's 1-Click Examples give you policy and process drafts that are already mapped to the requirements, so you adapt rather than invent. See 1-Click Examples.

3. Controls are documented but not implemented

ISO® 27001:2022 Annex A lists 93 controls. A common misunderstanding is that all 93 must be implemented - they need not be. Controls are selected based on your risks, and the Statement of Applicability covers every one of them, including those you exclude and why. The real failure is subtler: a control is written down, marked "done" in a spreadsheet, but never actually operating. Logging is "in place" yet no one reviews the logs. Access is "reviewed quarterly" yet the last review was never run. On paper the ISMS is complete; in practice it is hollow.

The fix: for every control you claim, be able to show it working. Evidence, not assertion: a log sample, a ticket, a completed review, a screenshot of a configuration. Check controls continuously rather than scrambling the week before the audit. This is where Valiido's AuditMagic helps - it checks your ISMS against three criteria, ISO® 27001, TISAX® and Valiido best practices, and flags the controls that are documented but not yet backed by evidence, so gaps surface early. See how AuditMagic works.

4. Internal audit is missing or run too late

ISO® 27001 Clause 9.2 requires an internal audit of the management system. It is not optional, and it is not the certification audit - it is your own check that the ISMS works, run before the auditor arrives. Many organizations skip it, or run it as a rushed formality two weeks before the external audit. Either way there is no real evidence that the ISMS has been independently tested, which is itself a finding.

The fix: plan the internal audit well ahead of the certification date, cover the whole management system over the cycle, and document what you found and what you did about it. Treat internal audit findings as a gift: every issue you catch yourself is one the external auditor will not raise. Independence matters - the person auditing a process should not be the person who runs it.

5. Your management review is not documented

ISO® 27001 Clause 9.3 requires top management to review the ISMS at planned intervals - looking at risks, incidents, audit results, objectives and the resources the system needs. Companies often do a version of this informally in management meetings, but nothing is written down. To an auditor, an undocumented management review did not happen.

The fix: hold the management review as a deliberate agenda item, cover the inputs the standard expects, and record the decisions and actions that come out of it. Keep the minutes. The review is also the moment leadership confirms the ISMS still has the budget and people it needs - which is exactly the kind of commitment auditors look for.

6. Supplier and third-party risk is ignored

Your security is only as strong as the suppliers who touch your data. ISO® 27001:2022 Annex A.5.19 to A.5.22 covers supplier relationships, the security terms in supplier agreements, managing security within those relationships, and managing changes to supplier services. Many ISMS projects focus entirely on internal controls and forget that a cloud provider, a payroll processor or a development contractor can be the weakest link.

The fix: keep a list of suppliers who process or access your information, classify them by risk, set security expectations in your agreements and review the important ones periodically. You do not need to audit every vendor to the same depth - prioritize by how much access and sensitivity is involved. Document the process so the auditor can see it is systematic, not ad hoc.

7. There is no clear overview and no structured path through the requirements

This is the reason underneath many of the others. Documentation lives in five different tools, nobody can say what is finished and what is open, and the requirements of the standard never get connected to the work in one place. Without a single overview, gaps stay invisible until the auditor finds them, and the team works hard without ever being sure they are working on the right things.

The fix: work from one structured path that maps every requirement to a status, an owner and the evidence behind it. That is what the Valiido Guide provides - a clear, step-by-step route through ISO® 27001 and TISAX® that shows where you stand at any moment, so audit-readiness is a state you can see rather than guess at. If you want to understand the broader approach, read how to build an ISMS without a consultant and our overview of the best ISMS software.

Your audit-readiness checklist

Run through this before you book the certification audit. If you cannot answer "yes" to each line, you have a gap to close.

  • The risk assessment was reviewed recently and reflects the company as it is today.
  • Every policy is approved by top management, current, and matches what people actually do.
  • Each selected control can be shown working, with evidence rather than a checkbox.
  • The Statement of Applicability covers all 93 Annex A controls, including the ones you excluded and why.
  • An internal audit (Clause 9.2) has been run and its findings are documented and addressed.
  • A management review (Clause 9.3) has taken place and the minutes are on file.
  • Suppliers who touch your data are listed, risk-rated and covered by your agreements (Annex A.5.19-A.5.22).
  • One overview shows every requirement, its owner, its status and its evidence.

Close the gaps before the auditor finds them

None of these seven problems is exotic. They are the predictable result of building an ISMS without a clear path and without continuous checking. Fix the path and the checking, and audit-readiness follows. Valiido gives you the structured route, the ready-made examples and the continuous checks in one platform, from EUR 149/month, and the approach behind it carries a 98.7% first-attempt pass rate. See the examples or read how AuditMagic checks your ISMS.

Frequently Asked Questions

How long does it take to make an ISMS audit-ready?

It depends on where you start, but most of the work is closing the seven gaps above rather than building from scratch. With a clear path and continuous checking, an organization with the basics in place can reach audit-readiness in a few months; one starting cold needs longer. The biggest time sink is usually evidence collection, which is exactly why checking controls continuously beats a last-minute scramble.

Do all 93 Annex A controls have to be implemented?

No. ISO® 27001:2022 Annex A contains 93 controls, but you select them based on your risks. The Statement of Applicability covers all 93 - including the ones you exclude, with the reason for each exclusion. Implementing controls you do not need wastes effort; excluding a control you do need without justification is a finding.

What is the difference between an internal audit and the certification audit?

The internal audit (Clause 9.2) is your own independent check that the ISMS works, run before certification. The certification audit is carried out by an external body to decide whether the certificate is issued. A documented internal audit is a requirement of the standard, and running one properly is the single best way to catch findings before the external auditor does.

Why does the management review matter so much to auditors?

Because Clause 9.3 is where top management demonstrates that the ISMS is actually governed - that leadership looks at risks, incidents and results and commits the resources the system needs. If it is not documented, the auditor treats it as not having happened, regardless of what was discussed informally.

How does Valiido help with audit-readiness?

Valiido combines three things that prevent the seven gaps: a structured path through ISO® 27001 and TISAX® via the Valiido Guide, ready-to-adapt 1-Click Examples mapped to the requirements, and AuditMagic, which checks your ISMS against ISO® 27001, TISAX® and Valiido best practices and surfaces gaps early. Plans start at EUR 149/month.

Valiido is not affiliated with ISO®, TISAX®, ENX® or VDA®. These trademarks belong to their respective owners.

How we evaluated & sources

This article reflects first-hand experience implementing ISO® 27001 and TISAX® management systems. Figures cited here were verified against the primary sources listed below as of June 2026.
